What's on this page
Linkerd.io references
Generating authorization policies for an existing application
Buoyant Enterprise for Linkerd provides powerful and expressive authorization policies that allow you to control the types of traffic that are allowed in your cluster, even at the level of individual HTTP routes or gRPC methods.
The BEL CLI includes a linkerd policy generate command to automatically
generate policy based on existing traffic on your Kubernetes cluster.
Prerequisites
- Buoyant Enterprise for Linkerd installed on a Kubernetes cluster
- The
BUOYANT_LICENSEenvironment variable set, with functioning BEL CLI
Step 1: Install sample app
If you do not already have meshed workloads on your cluster, you can install this sample app to demonstrate policy generation:
curl https://run.linkerd.io/emojivoto.yml |
linkerd inject - |
kubectl apply -f -
linkerd check --proxy
Step 2: Generate policy
To generate policy for all meshed workloads on your cluster, run:
linkerd policy generate
Depending on the number of Linkerd proxies running on your cluster, this command
may take several seconds to minutes. To speed it up, you may increase the
--concurrency flag above the default 10. This command will examine traffic
patterns for all running proxies. For each meshed server and port combination
found, the output will include the following resources:
| Resource | Name |
|---|---|
| Server | [server]-[port] |
| MeshTLSAuthentication | [server]-[port] |
| AuthorizationPolicy | [server]-[port] |
The Server defines the meshed workload and port that is receiving traffic. The
subsequent MeshTLSAuthentication and AuthorizationPolicy define which meshed
workloads are authorized to connect to the Server.
All Server resources have accessPolicy: audit set. In this mode, all meshed
and unmeshed traffic is allowed, to ensure that you can apply the generated
policy to your cluster without inadvertently denying traffic.
To apply the policy, run:
linkerd policy generate | kubectl apply -f -
If a request doesn’t abide to the policy rules, it won’t get denied, but it will
generate a log entry in the proxy at the INFO level with the tag
authz.name=audit along with other useful information.
Once you are confident that all authorized traffic is captured via policy, you
may remove the accessPolicy: audit lines, or re-run the command with the
--disable-audit flag.
Learning more
For more information about using linkerd policy generate, see the
BEL CLI reference page.